I have strange issue which i really cant nail it - trying to do it for months - to set up honeypot within a jail.

I cant filter the traffic coming from jail to host running jails. Outgoing traffic to any other pysical host on internal networks works nicely but once i try to prevent traffic from jail to host it fails miserably.

The funny thing is that running tcpdump -i vnet0:3 is showing the traffic but pf doesnt block it.

block quick on vnet0:3 proto tcp from $jail_ip to any

There is one way i can do it, to actually block traffic on physical interface as 'in' rule but this seems clumsy.

The rule blocks fine if i try to access internet/internal network but fails if i try to access host.

Additional problem i have is writting rules, device is composed out of vnet0:<jail id> and the id is changing, how to fix this except scripting it?